Netopia 2200 series Software User's Manual

For 2200 and 3300 series gateways

Table of Contents

Quick Links

Netopia

Software User Guide

Version 7.6

Netopia

2200 and 3300 Series Gateways

April 2006

Table of Contents

Troubleshooting

Summary of Contents for Netopia 2200 series

Page 1 ® Netopia Software User Guide Version 7.6 Netopia ® 2200 and 3300 Series Gateways April 2006...
Page 2: Copyright
Netopia, the Netopia logo, and 3-D Reach are registered trademarks belonging to Netopia, Inc., registered U.S. Patent and Trademark Ofﬁce. Broadband Without Boundaries is a trademark belonging to Netopia, Inc. All other trademarks are the property of their respec- tive owners. All rights reserved.
Page 3: Table Of Contents
INSTALLATION DER TELEKOMMUNIKATION ....21 Setting up the Netopia Gateway ......22 Microsoft Windows: .
Page 4 Table of Contents Status Details ..........34 Enable Remote Management .
Page 5 Firewall ..........125 Use a Netopia Firewall ....... . 125 BreakWater Basic Firewall .
Page 6 Table of Contents SafeHarbour IPSec VPN ........131 Configuring a SafeHarbour VPN .
Page 7 Step 1: Required Files ........181 Step 2: Netopia firmware Image File ......181 Install Keys .
Page 8 Table of Contents Command Line Interface ..... . . 221 CHAPTER 6 Overview ......... 222 Starting and Ending a CLI Session .
Page 9 Table of Contents Default IP Gateway Settings ......254 IP-over-PPP Settings ....... . 254 Static ARP Settings .
Page 10 Table of Contents Glossary ....... . . 311 CHAPTER 7 -----A----- .
Page 11 Network Address Translation (NAT)..... . 339 Netopia Advanced Features for NAT ..... 341 Internal Servers .
Page 12 Table of Contents VPN IPSec Pass Through ......343 VPN IPSec Tunnel Termination......344 Stateful Inspection Firewall .
Page 13: Introduction
What’s New in 7.6 CHAPTER 1 Introduction What’s New in 7.6 New in Netopia Firmware Version 7.6 are the following features: • TR-069 CLI Enhancements. See “TR-069” on page 300. • Variable wireless transmission power control CLI command. See page 293.
Page 14: About Netopia Documentation
LAN to have public addresses directly on the Internet. Netopia, Inc. provides a suite of technical information for its 2200- and 3300-series family of intelligent enterprise and consumer Gateways. It consists of: •...
Page 15: Documentation Conventions
Denotes an area of emphasis on a Web page solid rounded rectangle with an arrow Command Line Interface Syntax conventions for the Netopia Gateway command line interface are as follows: Convention Description straight ([ ]) brackets in cmd line Optional command arguments...
Page 16 curly ({ }) brackets, with values sep- Alternative values for an argument are pre- arated with vertical bars (|). sented in curly ({ }) brackets, with values separated with vertical bars (|). User-entered text bold terminal type face Variables for which you supply your own val- italic terminal type face...
Page 17: Organization
This guide consists of nine chapters, including a glossary, and an index. It is organized as follows: Chapter 1, “Introduction” — Describes the Netopia document suite, the purpose of, • the audience for, and structure of this guide. It gives a table of conventions.
Page 19: Basic Mode Setup
Most users will ﬁnd that the basic Quickstart conﬁguration is all that they ever need to use. This section may be all that you ever need to conﬁgure and use your Netopia Gateway. The following instructions cover installation in Router Mode.
Page 20: Important Safety Instructions
Important Safety Instructions POWER SUPPLY INSTALLATION Connect the power supply cord to the power jack on the Netopia Gateway. Plug the power supply into an appropriate electrical outlet. ☛ CAUTION: Depending on the power supply provided with the product, either the direct plug-in power supply blades, power supply cord plug or the appliance coupler serves as the mains power disconnect.
Page 21: Wichtige Sicherheitshinweise
Wichtige Sicherheitshinweise Wichtige Sicherheitshinweise NETZTEIL INSTALLIEREN Verbinden Sie das Kabel vom Netzteil mit dem Power-Anschluss an dem Netopia Gateway. Stecken Sie dann das Netzteil in eine Netzsteckdose. ☛ Achtung: Abhängig von dem mit dem Produkt gelieferten Netzteil, entweder die direkten Steckernetzgeräte, Stecker vom Netzkabel oder der Gerätekoppler dienen als...
Page 22: Setting Up The Netopia Gateway
Setting up the Netopia Gateway Refer to your Quickstart Guide for instructions on how to connect your Netopia gateway to your power source, PC or local area network, and your Internet access point, whether it is a dedicated DSL outlet or a DSL or cable modem. Different Netopia Gateway models are supplied for any of these connections.
Page 23 Setting up the Netopia Gateway b. Some Windows Start menu -> Control Panel -> Network and Internet Connections -> versions follow a Network Connections -> Local Area Connection -> Properties -> Inter- path like this: net Protocol [TCP/IP] -> Properties Then go to Step 2.
Page 24: Macintosh Macos 8 Or Higher Or Mac Os X
Macintosh MacOS 8 or higher or Mac OS X: Step 1. Access the TCP/IP or Network control panel. a. MacOS follows a Apple Menu -> Control Panels -> TCP/IP Control Panel path like this:...
Page 25 Apple Menu -> System Preferences -> Network a path like this: Then go to Step 2. Step 2. Select Built-in Ethernet Step 3. Select Conﬁgure Using DHCP Step 4. Close and Save, if prompted. Proceed to “Conﬁguring the Netopia Gateway” on page...
Page 26: Configuring The Netopia Gateway
Gateway. The User account provides monitor capability only. • A user may NOT change the conﬁguration, perform upgrades or invoke maintenance functions. For the security of your connection, an Admin password must be set on the Netopia unit.
Page 27: Miavo Vdsl And Ethernet Wan Models Quickstart
Configuring the Netopia Gateway MiAVo VDSL and Ethernet WAN models Quickstart The browser then displays the Quickstart page. Click the Connect to the Internet button. Once a connection is established, your browser is redirected to your service provider’s home page or a registration page on the Internet.
Page 28: Pppoe Quickstart
Once you enter your username and password here, you will no longer need to enter them whenever you access the Internet. The Netopia Gateway stores this information and automatically connects you to the Internet. The Gateway displays a message while it conﬁgures itself.
Page 29 Configuring the Netopia Gateway When the connection succeeds, your browser will display a success message. Once a connection is established, your browser is redirected to your service provider’s home page or a registration page on the Internet. Congratulations! Your installation is complete. You can now surf to your favorite Web sites by typing an URL in your browser’s location box or by...
Page 30: Netopia Gateway Status Indicator Lights
Netopia Gateway Status Indicator Lights Colored LEDs on your Netopia Gateway indicate the status of various port activity. Different Gateway models have different ports for your connections and different indicator LEDs. The Quickstart Guide accompanying your Netopia Gateway describes the behavior of the various indicator LEDs.
Page 31: Home Page - Basic Mode
Home Page - Basic Mode Home Page - Basic Mode After you have performed the basic Quickstart conﬁguration, any time you log in to your Netopia Gateway you will access the Netopia Gateway Home Page. http://192.168.1.254 You access the Home Page by typing in your Web browser’s loca-...
Page 32 The Home Page displays the following information in the center section: Item Description This is the unique serial number of your Gateway. Serial Number This is the version number of the current embedded software in your Gate- Software way. Release This is the date that your Gateway was installed and enabled.
Page 33: Manage My Account
Home Page - Basic Mode Link: Manage My Account You can change your ISP account information for the Netopia Gateway. You can also man- age other aspects of your account on your service provider’s account management Web site. Manage My Account Click on the link.
Page 34: Status Details
Link: Status Details If you need to diagnose any problems with your Netopia Gateway or its connection to the Internet, you can run a sophisticated diagnostic tool. It checks several aspects of your physical and electronic connection and reports its results on-screen. This can be useful for troubleshooting, or when speaking with a technical support technician.
Page 35: Enable Remote Management
This link allows you to authorize a remotely-located person, such as a support technician, to directly access your Netopia Gateway. This is useful for ﬁxing conﬁguration problems when you need expert help. You can limit the amount of time such a person will have access to your Gateway.
Page 36: Expert Mode
Most users will ﬁnd that the basic Quickstart conﬁguration is all that they ever need to use. Some users, however, may want to do more advanced conﬁguration. The Netopia Gateway has many advanced features that can be accessed and conﬁgured through the Expert Mode pages.
Page 37: Update Firmware
Home Page - Basic Mode Link: Update Firmware (This link is not available on the 3342/3352 models, since ﬁrmware updates must be upgraded via the USB host driver.) Periodically, the embedded ﬁrmware in your Gateway may be updated to improve the oper- ation or add new features.
Page 38: Factory Reset
Link: Factory Reset In some cases, you may need to clear all the conﬁguration settings and start over again to program the Netopia Gateway. You can perform a factory reset to do this. Factory Reset Click on to reset the Gateway back to its original factory default settings.
Page 39: Chapter 3 Expert Mode
Accessing the Expert Web Interface CHAPTER 3 Expert Mode Using the Expert Mode Web-based user interface for the Netopia 2200- and 3300-series Gateway you can conﬁgure, troubleshoot, and monitor the status of your Gateway. Accessing the Expert Web Interface Open the Web Connection...
Page 40 Click on the Expert Mode link in the left-hand column of links. You are challenged to conﬁrm your choice. Click The Home Page opens in Expert Mode.
Page 41: Home Page - Expert Mode
Accessing the Expert Web Interface Home Page - Expert Mode The Home Page is the summary page for your Netopia Gateway. The toolbar at the top pro- vides links to controlling, conﬁguring, and monitoring pages. Critical conﬁguration and oper- ational status is displayed in the center section.
Page 42: Home Page - Information
Serial Number Unique serial number, located on label attached to bottom of unit Software Version Release and build number of running Netopia Operating System. Product ID Refers to internal circuit board series; useful in determining which software upgrade applies to your hardware type.
Page 43 Accessing the Expert Web Interface DHCP Server On or Off. ON if using DHCP to get IP addresses for your LAN client machines. DHCP Leases A “lease” is held by each LAN client that has obtained an IP address through DHCP.
Page 44: Toolbar
Toolbar The toolbar is the dark blue bar at the top of the page containing the major navigation but- tons. These buttons are available from almost every page, allowing you to move freely about the site. Home Conﬁgure Troubleshoot Security Install Restart Help...
Page 45: Restart
Restart Restart Button: Restart The Restart button on the toolbar allows you to restart the Gateway at any time. You will be prompted to conﬁrm the restart before any action is taken. The Restart Conﬁrmation mes- sage explains the consequences of and reasons for restarting the Gateway.
Page 46: Alert Symbol
Link: Alert Symbol The Alert symbol appears in the upper right corner if you make a database change; one in which a change is made to the Gateway’s conﬁguration. The Alert serves as a reminder that you must Save the changes and Restart the Gateway before the change will take effect.
Page 47: Help
Help Help Button: Help Context-sensitive Help is provided in your Gateway. The page shown here is displayed when you are on the Home page or other transitional pages. To see a context help page example, Security -> Passwords Help go to , then click...
Page 48: Configure
Conﬁgure Button: Conﬁgure The Conﬁguration options are presented in the order of likelihood you will need to use them. Quickstart is typically accessed during the hardware installation and initial conﬁgu- ration phase. Often, these settings should be changed only in accordance with infor- mation from your Service Provider.
Page 49 Configure Connect to the Internet Click A brief message is displayed while the Gateway attempts to establish a connection. When the connection succeeds, your browser will display your Service Provider’s home page. If you encounter any problems connecting, refer to the chapters “Basic Troubleshooting”...
Page 50: Lan
Link: * Enable Interface: Enables all LAN-connected computers to share resources and to con- nect to the WAN. The Interface should always be enabled unless you are instructed to dis- able it by your Service Provider during troubleshooting. * IP Address: The LAN IP Address of the Gateway. The IP Address you assign to your LAN interface must not be used by another device on your LAN network.
Page 51 Configure • Advanced: Clicking on the Advanced link displays the Advanced LAN IP Interface page. • IGMP Forwarding: The default setting is Disabled. If you check this option, it will enable Internet Group Management Protocol (IGMP) multicast forwarding. IGMP allows a router to determine which host groups have members on a given network segment.
Page 52 Netopia Gateway. If enabled, statically addressed LAN hosts that have an address out- side of LAN subnets will be able to communicate via the Router’s WAN interface to the Internet.
Page 53: Wireless
Configure Wireless (supported models) If your Gateway is a wireless model (such as a 3347W) you can enable or disable the wire- Wireless less LAN (WLAN) by clicking the link. Wireless functionality is enabled by default. If you uncheck the Enable Wireless checkbox, the Wireless Options are disabled, and the Gateway will not provide or broadcast any wireless LAN services.
Page 54: Privacy
☛ NOTE: On the 2200-Series Gateways, WEP-Manual privacy is enabled by default. Use the Netopia Installation Wizard on the accompanying Netopia CD to gener- ate WEP keys for connecting wireless client computers. Privacy • Off - No Privacy provides no encryption on your wireless LAN data.
Page 55 Configure The Pre Shared Key is a passphrase shared between the Router and the clients and is used to generate dynamically changing keys. The passphrase can be 8-63 characters or up to 64 hex characters. It is recommended to use at least 20 characters for best secu- rity.
Page 56 Submit Click the button. The Alert icon appears. Save and Restart Click the Alert icon, and then the link.
Page 57: Advanced
Configure Advanced Advanced link, the advanced 802.11 Wireless Settings page appears. If you click the Note: This page displays different options depending on which form of Privacy or other...
Page 58 Access Point beacons. If an Access Point beacon is detected on the same channel, the Netopia Gateway will initiate a three- to four-minute scan of the channels, locate a better one, and switch. Once it has switched, it will remain on this channel for at least 30 minutes before switching again if another Access Point is detected.
Page 59: About Closed System Mode
WEP encryption enabled, and must have the same WEP encryption key as the Netopia Gateway. Once the Netopia Gateway is located by a client computer, by setting the client to a match- ing SSID, the client can connect immediately if WEP is not enabled. If WEP is enabled then the client must also have WEP enabled and a matching WEP key.
Page 60 Block Wireless Bridging: Check the checkbox to block wireless clients from communicat- ing with other wireless clients on the LAN side of the Gateway. • WEP - Manual allows you to enter your own encryption keys manually. This is a difﬁcult process, but only needs to be done once.
Page 61: Wpa Version Allowed
Configure Encryption Key #1 – #4: The encryption keys. You enter keys using hexadecimal digits. For 40/64bit encryption, you need ten digits; 26 digits for 128bit, and 58 digits for 256bit WEP. Hexadecimal characters are 0 – 9, and a – f. Examples: •...
Page 62: Multiple Ssids
Multiple SSIDs The Multiple Wireless SSIDs feature allows you to add additional network identiﬁers (SSIDs or Network Names) for your wireless network. Multiple SSIDs To enable Multiple Wireless SSIDs, click the link. When the Multiple Wireless SSIDs screen appears, check the Enable SSID checkbox for each SSID you want to enable.
Page 63: Wireless Mac Authorization
Configure Privacy modes available from the pull-down menu for the multiple SSIDs are: WPA-PSK, WPA-802.1x, or Off-No Privacy. WEP can also be selected on the additional SSIDs as long as it is not used on the primary SSID. WEP can only be used on one SSID, so any oth- ers will not have WEP available.
Page 64 MAC Authorization To enable Wireless MAC Authentication, click the link. When the Wireless MAC Authentication screen appears, check the Enable Wireless MAC Authorization checkbox: The screen expands as follows: Click the button. The Authorized Wireless MAC Address Entry screen appears.
Page 65 Configure Enter the MAC (hardware) address of the client PC you want to authorize for access to your wireless LAN. The Allow Access? checkbox is enabled by default. Unchecking this check- Submit box speciﬁcally denies access from this MAC address. Click the button.
Page 66: Use Radius Server
Use RADIUS Server RADIUS servers allow external authentication of users by means of a remote authentica- tion database. The remote authentication database is maintained by a Remote Authentica- tion Dial-In User Service (RADIUS) server. In conjunction with Wireless User Authentication, you can use a RADIUS server database to authenticate users seeking access to the wire- less services, as well as the authorized user list maintained locally within the Gateway.
Page 67 Configure The Advanced Network Conﬁguration page appears. You access the RADIUS Server conﬁguration screen from the Advanced Network Conﬁgura- RADIUS Server tion web page, by clicking the link.
Page 68: Wan
Link: WAN IP Interfaces Your IP interfaces are listed. Click on an interface to conﬁgure it. IP Gateway Enable Gateway: You can conﬁgure the Gateway to send packets to a default gateway if it does not know how to reach the destination host. Interface Type: If you have PPPoE enabled, you can specify that packets destined for unknown hosts will be sent to the gateway being used by the remote PPP peer.
Page 69 RFC-1483 Routed IP None Netopia Firmware Version 7 supports VPI/VCI autodetection by default. If VPI/VCI auto- detection is enabled, the ATM Circuits page displays VPI/VCI = 0. If you conﬁgure a new ATM VPI/VCI pair, upon saving and restarting, autodetection is disabled and only the new VPI/VCI pair conﬁguration will be enabled.
Page 70 You can choose UBR (Unspeciﬁed Bit Rate), CBR (Constant Bit Rate), or VBR (Variable Bit Rate) from the pull-down menu and set the Peak Cell Rate (PCR) in the editable ﬁeld. UBR (Unspeciﬁed Bit Rate) guarantees no minimum transmission rate. Cells are transmitted on a “best effort”...
Page 71 Configure ☛ Note: The difference between VBR-rt and VBR-nrt is the tolerated Cell Delay Varia- tion range and the provisioned Maximum Burst Size. Class Transmit Priority Comments PCR is a cap High PCR is a guaranteed rate High PCR > SCR. SCR is a guaranteed rate.
Page 72: Advanced
Link: Advanced Selected Advanced options are discussed in the pages that follow. Many are self-explana- tory or are dictated by your service provider. The following are links under Conﬁgure -> Advanced:...
Page 73: Ip Static Routes
Configure Link: IP Static Routes A static route identiﬁes a manually conﬁgured pathway to a remote network. Unlike dynamic routes, which are acquired and conﬁrmed periodically from other routers, static routes do not time out. Consequently, static routes are useful when working with PPP, since an intermittent PPP link may make maintenance of dynamic routes problematic.
Page 74 Gateway: Enter the IP address of the gateway for the static route. The default gateway • must be located on a network connected to your Netopia Gateway conﬁgured interface. • Metric: Speciﬁes the hop count for the static route. Enter a number from 1 to 15 to indi- cate the number of routes (actual or best guess) a packet must traverse to reach the remote network.
Page 75: Ip Static Arp
Configure , switch to the Save Changes page, and When you are ﬁnished, click the Alert icon Save Changes click the link. Link: IP Static ARP Your Gateway maintains a dynamic Address Resolution Protocol (ARP) table to map IP addresses to Ethernet (MAC) addresses. It populates this ARP table dynamically, by retriev- ing IP address/MAC address pairs only when it needs them.
Page 76: Configure Specific Pinholes
This requires passing three kinds of speciﬁc IP trafﬁc through to your LAN. Application 1 : You have a Web server located on your LAN behind your Netopia Gateway and would like users on the Internet to have access to it. With NAT “On”, the only externally visible IP address on your network is the Gateway’s WAN IP (supplied by your Service Pro-...
Page 77 Configure ☛ TIPS for making Pinhole Entries: 1. If the port forwarding feature is required for Web services, ensure that the embedded Web server’s port number is re-assigned PRIOR to any Pinhole data entry. 2. Enter data for one Pinhole at a time. 3.
Page 78 A diagram of this LAN example is: Gateway my-webserver Internet 192.168.1.1 Ethernet Interface 210.219.41.20 Ethernet Interface my-mailserver 192.168.1.2 NAT Pinholes Embedded Web Server my-games 210.219.41.20:8100 192.168.1.3 You can also use the LAN-side address of the Gateway, 192.168.1.x:8100 to access the web and 192.168.1.x:23 to access the telnet server.
Page 79: Pinhole Configuration Procedure
-> link, select the Servers link. Since Port Forwarding is required for this example, the Netopia embedded Web server is conﬁgured ﬁrst. ☛ NOTE: The two text boxes, Web (HTTP) Server Port and Telnet Server Port, on this page refer to the port numbers of the Netopia Gateway’s embedded admin-...
Page 80 Click . Type your speciﬁc data into the Pinhole Entries table of this page. Click Submit Click on the Add or Edit more Pinholes link. Click the button. Add the next Pinhole. Type the speciﬁc data for the second Pinhole.
Page 81 Configure Add or Edit more Pinholes Click on the link. Click the button. Add the next Pinhole. Type the speciﬁc data for the third Pinhole. ☛ NOTE: Note the following parameters for the “my-games” Pinhole: 1. The Protocol ID is UDP. 2.
Page 82: Ipmaps
IPMaps supports one-to-one Network Address Translation (NAT) for IP addresses assigned to servers, hosts, or speciﬁc computers on the LAN side of the Netopia Gateway. A single static or dynamic (DHCP) WAN IP address must be assigned to support other...
Page 83: Configure The Ipmaps Feature
What are IPMaps and how are they used? The IPMaps feature allows multi- ple static WAN IP addresses to be assigned to the Netopia Gateway. Static WAN IP addresses are used to support speciﬁc services, like a web server, mail server, or DNS server.
Page 84: Ipmaps Block Diagram
IPMaps Block Diagram The following diagram shows the IPMaps principle in conjunction with existing Netopia NAT operations: Netopia Gateway WAN Interface LAN Interface Static IP Addresses for IPMaps Applications 192.168.1.1 NAT/PAT Table 143.137.50.37 143.137.50.36 143.137.50.37 192.168.1.1 192.168.1.2 143.137.50.36 192.168.1.2 143.137.50.35 192.168.1.3...
Page 85: Default Server
Configure Link: Default Server This feature allows you to: • Direct your Gateway to forward all externally initiated IP trafﬁc (TCP and UDP protocols only) to a default host on the LAN. • Enable it for certain situations: – Where you cannot anticipate what port number or packet protocol an in-bound appli- cation might use.
Page 86: Typical Network Diagram
You can also use the LAN-side address of the Gateway, 192.168.1.x to access the web and telnet server. NAT Combination Application. Netopia’s NAT security feature allows you to con- ﬁgure a sophisticated LAN layout that uses both the Pinhole and Default Server capabili- ties.
Page 87: Ip-Passthrough
Configure With this topology, you conﬁgure the embedded administration ports as a ﬁrst task, fol- lowed by the Pinholes and, ﬁnally, the NAT Default Server. When using both NAT pinholes and NAT Default Server the Gateway works with the follow- ing rules (in sequence) to forward trafﬁc from the Internet to the LAN: If the packet is a response to an existing connection created by outbound trafﬁc from a LAN PC, forward to that station.
Page 88: A Restriction
The Host Hardware Address ﬁeld displays. Here you enter the MAC address of the desig- nated IP-Passthrough computer. • If this MAC address is not all zeroes, then it will use DHCP to set the LAN host's address to the (conﬁgured or acquired) WAN IP address. The MAC address must be six colon-delimited or dash-delimited sets of hex digits ('0' –...
Page 89: Differentiated Services
Differentiated Services conﬁgura- tion screen appears. Netopia Firmware Version 7.6 offers Differentiated Services (Diffserv) enhancements. These enhancements allow your Gateway to make Quality of Service (QoS) decisions about what path Internet trafﬁc, such as Voice over IP (VoIP), should travel across your network.
Page 90 You can then deﬁne Custom Flows. If your applications do not provide Quality of Service (QoS) control, Custom Flows allows you to deﬁne streams for some protocols, port ranges, and between speciﬁc end point addresses. • To deﬁne a custom ﬂow, click the button.
Page 91 Configure • Quality of Service (QoS) – This is the Quality of Service setting for the ﬂow, based on the TOS bit information. Select Expedite, Assure, or Off (default) from the pull-down menu. The following table outlines the TOS bit settings and behavior: QoS Setting TOS Bit Value Behavior...
Page 92: Dns
Link: Your Service Provider may maintain a Domain Name server. If you have the information for the DNS servers, enter it on the DNS page. If your Gateway is conﬁgured to use DHCP to obtain its WAN IP address, the DNS information is automatically obtained from that same DHCP Server.
Page 93 Configure Your Service Provider may, for certain services, want to provide conﬁguration from its DHCP servers to the computers on your LANs. In this case, the Gateway will relay the DHCP requests from your computers to a DHCP server in the Service Provider's network. Click the relay-agent and enter the IP address of the Service Provider's DHCP server in the Server Address ﬁeld.
Page 94: Radius Server
Link: RADIUS Server RADIUS servers allow external authentication of users by means of a remote authentica- tion database. The remote authentication database is maintained by a Remote Authentica- tion Dial-In User Service (RADIUS) server. In conjunction with Wireless User Authentication, you can use a RADIUS server database to authenticate users seeking access to the wire- less services, as well as the authorized user list maintained locally within the Gateway.
Page 95: Snmp
SNMP management station program on a local host to obtain information from an SNMP agent. In this case, the Netopia Gateway is an SNMP agent. Your Gateway supports SNMP-V1, with the exception of most sets (read-only and traps), and SNMP-V2.
Page 96 ☛ WARNING: SNMP presents you with a security issue. The community facility of SNMP behaves somewhat like a password. The community “public” is a well-known community name. It could be used to examine the conﬁgu- ration of your Gateway by your service provider or an uninvited reviewer.
Page 97: Igmp (Internet Group Management Protocol)
ﬁeld or sending out company newsletters to a distribution list. Since a router should not be used as a passive forwarding device, Netopia Routers use a protocol for forwarding multicasting: Internet Group Management Protocol (IGMP). Netopia Routers can use either IGMP Version 1 or Version 2.
Page 98 You can set the following options: • IGMP Snooping – checking this checkbox enables the Netopia Gateway to “listen in” to IGMP trafﬁc. The Gateway discovers multicast group membership for the purpose of restricting multicast transmissions to only those ports which have requested them. This helps to reduce overall network trafﬁc from streaming media and other bandwidth-inten-...
Page 99 Configure • Unsolicited Report Interval – the amount of time in seconds between repetitions of a particular computer’s initial report of membership in a group. The default unsolicited report interval is 10 seconds. Querier Version – select a version of the IGMP Querier from the pull-down menu: v1 or •...
Page 100: Upnp
PCs using UPnP can retrieve the Gateway’s WAN IP address, and automatically create NAT port maps. This means that applications that support UPnP, and are used with a UPnP- enabled Netopia Gateway, will not need application layer gateway support on the Netopia Gateway to work through NAT.
Page 101: Lan Management
TR-064 is a LAN-side DSL Gateway conﬁguration speciﬁcation. It is an extension of UPnP. It deﬁnes more services to locally manage the Netopia Gateway. While UPnP allows open access to conﬁgure the Gateway's features, TR-064 requires a password to execute any command that changes the Gateway's conﬁguration.
Page 102: Advanced -> Ethernet Bridge
Link: Advanced -> Ethernet Bridge The Netopia Gateway can be used as a bridge, rather than a router. A bridge is a device that joins two networks. As an Internet access device, a bridge connects the home com- puter directly to the service provider’s network equipment with no intervening routing func- tionality, such as Network Address Translation.
Page 103: Configuring For Bridge Mode
Configure Conﬁguring for Bridge Mode Browse into the Netopia Gateway’s web interface. Conﬁgure Click on the button in the upper Menu bar. Click on the link. The LAN page appears. In the box titled LAN IP Inter- face (Ethernet 100BT): Make note of the Ethernet IP Address and subnet mask.
Page 104 The Ethernet Bridge page appears. The appearance of this page varies, depending on your Gateway’s inter- faces. If available: a. Check the Enable Bridging on Port selection. (This may be Always On.) Submit b. Click If you want the Gateway to do both bridging and routing, check Enable Concurrent Bridging/Routing checkbox.
Page 105 ISP. If you ever need to get back into the Netopia Gateway again for management reasons, you will need to manually conﬁgure your machine to be in the same subnet as the Ethernet interface of the Netopia, since DHCP server is not operational in bridge mode.
Page 106: Vlan
Link: VLAN A Virtual Local Area Network (VLAN) is a network of computers that behave as if they are connected to the same wire even though they may be physically located on different seg- ments of a LAN. You set up VLANs by conﬁguring the Gateway software rather than hard- ware.
Page 107 Configure An example of multiple VLANs is shown below: To create a VLAN, click the button. The VLAN Entry page appears. You can create up to 32 VLANs, and you can also restrict any VLAN, and the computers on it, from administering the Gateway.
Page 108 VLAN id – This must be a unique identifying number between 1 and 4095. • VLAN Name – A descriptive name for the VLAN. • • VLAN Protocol – This ﬁeld is not editable; you can only associate ports with a VLAN. •...
Page 109 Configure For Netopia VGx technology models, separate Ethernet switch ports are displayed and may be conﬁgured. To enable any of them on this VLAN, select one, and click the button. Typically you will choose a physical port, such as an Ethernet port (example: ethernet1) or a wireless SSID (example: ssid1), and make the port routable by specifying lan- uplink.
Page 110 You can Add, Edit, or Delete your VLAN entries by returning to the VLANs page, and selecting the appropriate entry from the displayed list.
Page 111: System
Configure Link: System The System Name defaults to your Gateway's factory identiﬁer combined with its serial number. Some cable-oriented Service Providers use the System Name as an important identiﬁcation and support parameter. The System Name can be 1 – 255 characters long; it can include embedded spaces and special characters.
Page 112 • Syslog: Enable syslog logging in the system. • Syslog Host Name/IP Address: Enter the name or the IP Address of the host that should receive syslog messages. Facility: From the pull-down menu, select the Syslog facility to be used by the router •...
Page 113: Log Event Messages
Configure Log Event Messages Administration Related Log Messages 1. administrative This log-message is generated whenever the user attempts to access access attempted: the router's management interface. 2. administrative This log-message is generated whenever the user attempts to access access authenticated the router's management interface and is successfully authenticated and allowed: and allowed access to the management interface.
Page 114 DSL Log Messages (most common): 1. WAN: Data link This log message is generated when the DSL link comes up. activated at <Rate> Kbps (rx/tx) 2.WAN: Data link This log message is generated when the DSL link goes down. deactivated 3.
Page 115 Configure Access-related Log Messages 6. dropped - frag- This log-message is generated whenever a packet, traversing the mented packet: router, is dropped because it is fragmented, stateful inspection is turned ON on the packet's transmit or receive interface, and deny- fragment option is enabled.
Page 116: Internal Servers
Pinhole conﬁguration. Web (HTTP) Server Port: To reassign the port number used to access the Netopia embedded Web server, change this value to a value greater than 1024. When you next access the embedded Netopia Web server, append the IP address with <port number>, (e.g.
Page 117: List Of Supported Games And Software
Configure To select the games or software that you want to host for a speciﬁc PC, highlight the name(s) in the box on the left side of the screen. Click the button to select the soft- ware that will be hosted. To remove a game or software from the hosted list, highlight the game or software you Remove want to remove and click the...
Page 118 Buddy Phone Calista IP Phone CART Precision Racing, v 1.0 Citrix Metaframe/ICA Client Close Combat for Windows 1.0 Close Combat: A Bridge Too Far, v 2.0 Close Combat III: The Russian Combat Flight Sim: WWII Combat Flight Sim 2: WWII Front, v 1.0 Europe Series, v 1.0 Paciﬁc Thr, v 1.0...
Page 119: Rename A User(Pc)
Configure PPTP Quake II Quake III Rainbow Six RealAudio Return to Castle Wolfenstein Roger Wilco Rogue Spear ShoutCast Server SMTP SNMP SSH server StarCraft Starﬂeet Command StarLancer, v 1.0 Telnet TFTP Tiberian Sun: Command and Conquer Timbuktu Total Annihilation Ultima Online Unreal Tournament Server Urban Assault, v 1.0 VNC, Virtual Network Comput-...
Page 120: Clear Options
☛ NOTE: The new name given to a server is only known to Software Hosting. It is not used as an identiﬁer in other network functions, such as DNS or DHCP. Link: Clear Options To restore the factory conﬁguration of the Gateway, choose Clear Options. You may want to upload your conﬁguration to a ﬁle before performing this function.
Page 121: Time Zone
Configure Link: Time Zone Time Zone When you click the link, the Time Zone page appears. You can set your local time zone by selecting the number of hours your time zone is distant from Greenwich Mean Time (GMT +12 – -12) from the pull-down menu. This allows you to set the time zone for access controls and in general.
Page 122: Security
Security Button: Security The Security features are available by clicking on the Security toolbar button. Some items of this category do not appear when you log on as User.
Page 123: Passwords
Netopia Gateway settings from unauthorized display or modiﬁca- tion. • Admin level privileges let you display and modify all settings in the Netopia Gateway (Read/Write mode). The Admin level password is created when you ﬁrst access your Gateway.
Page 124 Netopia Gateway: Select the account type from the Username pull-down list. Choose from Admin or User. If you assigned a password to the Netopia Gateway previously, enter your Old Password current password in the ﬁeld. Enter your new password in the New Password ﬁeld.
Page 125: Firewall
BreakWater Basic Firewall’s three settings are: • ClearSailing ClearSailing, BreakWater's default setting, supports both inbound and outbound trafﬁc. It is the only basic ﬁrewall setting that fully interoperates with all other Netopia software features. SilentRunning • Using this level of ﬁrewall protection allows transmission of outbound trafﬁc on pre-con- ﬁgured TCP/UDP ports.
Page 126 Click on the radio button to select the protection level you want. Click Submit Changing the BreakWater setting does not require a restart to take effect. This makes it easy to change the setting “on the ﬂy,” as your needs change.
Page 127: Tips For Making Your Breakwater Basic Firewall Selection
Restore SilentRunning when ﬁnished. Basic Firewall Background As a device on the Internet, a Netopia Gateway requires an IP address in order to send or receive trafﬁc. The IP trafﬁc sent or received have an associated application port which is dependent on the nature of the connection request.
Page 128 Session Type --------------Port State----------------------- ftp data Enabled Disabled Disabled ftp control Enabled Disabled Disabled telnet external Enabled Disabled Disabled telnet Netopia server Enabled Disabled Disabled http external Enabled Disabled Disabled http Netopia server Enabled Disabled Disabled DHCP client Enabled Enabled...
Page 129 Security ☛ NOTE: The Gateway’s WAN DHCP client port in SilentRunning mode is enabled. This feature allows end users to continue using DHCP-served IP addresses from their Service Providers, while having no identiﬁable presence on the Internet.
Page 130: Ipsec
Link: IPSec IPSec When you click on the link, the IPSec conﬁguration screen appears. Your Gateway can support two mechanisms for IPSec tunnels: IPSec PassThrough supports Virtual Private Network (VPN) clients running on LAN- • connected computers. Normally, this feature is enabled. You can disable it if your LAN-side VPN client includes its own NAT interoperability option.
Page 131: Safeharbour Ipsec Vpn
Security SafeHarbour IPSec VPN SafeHarbour VPN IPSec Tunnel provides a single, encrypted tunnel to be terminated on the Gateway, making a secure tunnel available for all LAN- connected users. This imple- mentation offers the following: • Eliminates the need for VPN client software on individual PCs. •...
Page 132: Configuring A Safeharbour Vpn
A typical SafeHarbour conﬁguration is shown below: Conﬁguring a SafeHarbour VPN Use the following procedure to conﬁgure your SafeHarbour tunnel. Obtain your conﬁguration information from your network administrator. The tables “Parameter Descriptions” on page 136 describe the various parameters that may be required for your tunnel.
Page 133 Security Table 1: IPSec Tunnel Details Parameter Setup Worksheet Parameter Netopia Gateway Peer Gateway Name Peer Internal Network Peer Internal Netmask NAT Enable On/Off PAT Address Negotiation Method Main/Aggressive Local ID Type IP Address Subnet Hostname ASCII Local ID Address/Value...
Page 134 Be sure that you have SafeHarbour VPN enabled. SafeHarbour is a keyed feature. See “Install Keys” on page 184. for information con- cerning installing Netopia Software Feature Keys. Check the Enable SafeHarbour IPSec checkbox. Checking this box will automatically display the SafeHarbour IPSec Tunnel Entry parameters.
Page 135 Security Make the Tunnel Details entries. Enter or select the required set- tings. Refer to your “IPSec Tunnel Details Parameter Setup Work- sheet” on page 133.) Click Update Alert button appears. Click the Alert button. Save and Restart Click Your SafeHarbour IPSec VPN tun- nel is fully conﬁgured.
Page 136: Parameter Descriptions
Parameter Descriptions The following tables describe SafeHarbour’s parameters that are used for an IPSec VPN tunnel conﬁguration: Table 2: IPSec Configuration page parameters Field Description Name The Name parameter refers to the name of the conﬁgured tunnel. This is mainly used as an identiﬁer for the administrator. The Name parameter is an ASCII value and is limited to 31 characters.
Page 137 Security Table 3: IPSec Tunnel Details page parameters PAT Address If NAT is enabled, this ﬁeld appears. You can specify a Port Address Trans- lation (PAT) address or leave the default all-zeroes (if Xauth is enabled). If you leave the default. the address will be requested from the remote router and dynamically applied to the Gateway.
Page 138 Invalid SPI Enabling this allows the Gateway to re-establish the tunnel if either the Recovery Netopia Gateway or the peer gateway is rebooted. Soft MBytes Setting the Soft MBytes parameter forces the renegotiation of the IPSec Security Associations (SAs) at the conﬁgured Soft MByte value. The value can be conﬁgured between 1 and 1,000,000 MB and refers to data trafﬁc...
Page 139 Extended Authentication (XAuth), an extension to the Internet Key Exchange (IKE) protocol. The Xauth extension provides dual authentication for a remote user’s Netopia Gateway to establish a VPN, authorizing net- work access to the user’s central ofﬁce. IKE establishes the tunnel, and Xauth authenticates the speciﬁc remote user's Gateway.
Page 140: Stateful Inspection
Link: Stateful Inspection All computer operating systems are vulnerable to attack from outside sources, typically at the operating system or Internet Protocol (IP) layers. Stateful Inspection ﬁrewalls intercept and analyze incoming data packets to determine whether they should be admitted to your private LAN, based on multiple criteria, or blocked.
Page 141: Exposed Addresses
Security UDP no-activity time-out: The time in seconds after which a UDP session will be ter- • minated, if there is no trafﬁc on the session. • TCP no-activity time-out: The time in seconds after which an TCP session will be ter- minated, if there is no trafﬁc on the session.
Page 142 Add, Edit, or delete exposed addresses options are active only if NAT is disabled on a WAN interface. The hosts speciﬁed in exposed addresses will be allowed to receive inbound traf- ﬁc even if there is no corresponding outbound trafﬁc. •...
Page 143 Security Click the button to add a new range of exposed addresses. Edit You can edit a previously conﬁgured range by clicking the button, or delete the entry Delete entirely by clicking the button. All conﬁguration changes will trigger the Alert Icon. Click on the Alert icon.
Page 144: Stateful Inspection Options
Stateful Inspection Options Stateful Inspection Parameters are active on a WAN interface only if you enable them on your Gateway. • Stateful Inspection: To enable stateful inspection on this WAN interface, check the checkbox. Default Mapping to Router: This is disabled by default. This option will allow the •...
Page 145: Open Ports In Default Stateful Inspection Installation
Security Open Ports in Default Stateful Inspection Installation LAN (Private) WAN (Public) Port Protocol Description Interface Interface telnet Bootps Bootpc HTTP Netbios-ns Netbios-dgm SNMP ISAKMP Router...
Page 146: Firewall Tutorial
Firewall Tutorial General ﬁrewall terms ☛ Note: Breakwater Basic Firewall (see “BreakWater Basic Firewall” on page 125) does not make use of the packet ﬁlter support and can be used in addition to ﬁltersets Filter rule: A ﬁlter set is comprised of individual ﬁlter rules. Filter set: A grouping of individual ﬁlter rules.
Page 147: Basic Protocol Types
Firewall Tutorial Protocol DATA User Data This header information is what the packet ﬁlter uses to make ﬁltering decisions. It is important to note that a packet ﬁlter does not look into the IP data stream (the User Data from above) to make ﬁltering decisions. Basic protocol types TCP: Transmission Control Protocol.
Page 148: Firewall Design Rules
Example TCP/UDP Ports TCP Port Service UDP Port Service 20/21 SNMP Telnet TFTP SMTP News Firewall design rules There are two basic rules to ﬁrewall design: • “What is not explicitly allowed is denied.” • “What is not explicitly denied is allowed.” The ﬁrst rule is far more secure, and is the best approach to ﬁrewall design.
Page 149: Implied Rules
Firewall Tutorial and a packet goes through these rules destined for FTP, the packet would forward through the ﬁrst rule (WWW), go through the second rule (FTP), and match this rule; the packet is allowed through. If you had this ﬁlter set for example..Allow WWW access;...
Page 150: Example Filter Set Page
Example ﬁlter set page This is an example of the Netopia ﬁlter set page:...
Page 151: Filter Basics
A host address can be entered, but the applied subnet mask must be 32 bits (255.255.255.255). Netopia Firmware Version 7.6 has the ability to compare source and destination TCP or UDP ports. These options are as follows:...
Page 152: Example Filters
Incoming packet has the source address of 200.1.1.184. This incoming IP packet has a source IP address that does not match the network address in the Source IP Address ﬁeld in Netopia Firmware Version 7.6. This rule will forward this packet because the packet does not match.
Page 153: Example 4
Firewall Tutorial Example 4 Filter Rule: 200.1.1.96 (Source IP Network Address) 255.255.255.240 (Source IP Mask) Forward = No (What happens on match) Incoming packet has the source address of 200.1.1.104. This rule does match and this packet will not be forwarded. Example 5 Filter Rule: 200.1.1.96...
Page 154: Packet Filter
Netopia Firmware Version 7.6’s packet ﬁlters are designed to provide security for the Inter- net connections made to and from your network. You can customize the Gateway’s ﬁlter...
Page 155: What's A Filter And What's A Filter Set
Firewall Tutorial admit or refuse TCP/IP connections from certain remote networks and speciﬁc hosts. You will also use ﬁlters to screen particular types of connections. This is commonly called ﬁre- walling your network. Before creating ﬁlter sets, you should read the next few sections to learn more about how these powerful security tools work.
Page 156: Filter Priority
Filter priority Continuing the customs inspectors analogy, imagine the packet inspectors lined up to examine a package. If the package matches the ﬁrst inspector’s criteria, the package is either rejected or passed on to its destination, depending on the ﬁrst inspector’s particular orders. In this case, the package first is never seen by the remaining inspectors.
Page 157: A Filtering Rule
199.211.211.17. If a match occurs, the packet is blocked. Here is what this rule looks like when implemented as a ﬁlter in Netopia Firmware Version 7.6: To understand this particular ﬁl- ter, look at the parts of a ﬁlter. Parts of a ﬁlter A ﬁlter consists of criteria based...
Page 158: Port Numbers
Port numbers A ﬁlter can also match a packet’s port number attributes, but only if the ﬁlter’s protocol type is set to TCP or UDP, since only those protocols use port numbers. The ﬁlter can be conﬁgured to match the following: •...
Page 159: Other Filter Attributes
Firewall Tutorial Less Than: For the ﬁlter to match, the packet’s port number must be less than the port • number speciﬁed in the ﬁlter. • Less Than or Equal: For the ﬁlter to match, the packet’s port number must be less than or equal to the port number speciﬁed in the ﬁlter.
Page 160: Filtering Example #1
Fwd: Shows whether the ﬁlter forwards (Yes) a packet or discards (No) it when there’s • a match. Src-IP: The packet source IP address to match. • • Src-Mask: The packet source subnet mask to match. Dst-IP: The packet destination IP address to match. •...
Page 161 Firewall Tutorial • Source IP Address = 199.211.211.17 • Source IP address mask = 255.255.255.255 • Destination IP Address = 0.0.0.0 • Destination IP address mask = 0.0.0.0 • Using the tables on page 158, ﬁnd the destination port and protocol numbers (the local Telnet port): •...
Page 162: Filtering Example #2
Filtering example #2 Suppose a ﬁlter is conﬁgured to block all incoming IP packets with the source IP address of 200.233.14.0, regardless of the type of connection or its destination. The ﬁlter would look like this: This ﬁlter blocks any packets coming from a remote network with the IP network address 200.233.14.0.
Page 163: Design Guidelines
Firewall Tutorial Design guidelines Careful thought must go into designing a new ﬁlter set. You should consider the following guidelines: • Be sure the ﬁlter set’s overall purpose is clear from the beginning. A vague purpose can lead to a faulty set, and that can actually make your network less secure. •...
Page 164: Working With Ip Filters And Filter Sets
Working with IP Filters and Filter Sets To work with ﬁlters and ﬁlter sets, begin by accessing the ﬁlter set pages. ☛ NOTE: Make sure you understand how ﬁlters work before attempting to use them. Read the section “Packet Filter” on page 154.
Page 165: Adding Filters To A Filter Set
Working with IP Filters and Filter Sets Enter new name for the ﬁlter set, for example Filter Set 1. Submit To save the ﬁlter set, click the button. The saved ﬁlter set is empty (contains no ﬁlters), but you can return to it later to add ﬁlters (see “Adding ﬁlters to a ﬁlter set”).
Page 166 The Netopia Router Packets in Netopia Firmware Version 7.6 pass through an input ﬁlter if they originate from the WAN and through an output ﬁlter if they’re being sent out to the WAN. The process for adding input and output ﬁlters is exactly the same. The main difference between the two involves their reference to source and destination.
Page 167 Working with IP Filters and Filter Sets The Filter Set page appears. ☛ Note: There are two buttons in this page, one for input ﬁlters and one for out- put ﬁlters. In this section, you’ll learn how to add an input ﬁlter to a ﬁlter set. Adding an output ﬁlter works exactly the same way, providing you keep the dif- ferent source and destination perspectives in mind.
Page 168 If you want the ﬁlter to forward packets that match its criteria to the desti- Forward nation IP address, check the checkbox. If Forward is unchecked, packets matching the ﬁlter’s criteria will be discarded. Enter the Source IP address this ﬁlter will match on. You can enter a subnet or a host address.
Page 169: Viewing Filters
Working with IP Filters and Filter Sets If Protocol Type is set to TCP or UDP, the settings for port comparison will appear. These settings only take effect if the Protocol Type is TCP or UDP. From the Source Port Compare pull-down menu, choose a comparison method for the ﬁlter to use on a packet’s source port number.
Page 170: Modifying Filters
Modifying ﬁlters Edit To modify a ﬁlter, select a ﬁlter from the table and click the button. The Rule Entry page appears. The parameters in this page are set in the same way as the ones in the orig- inal Rule Entry page (see “Adding ﬁlters to a ﬁlter set”...
Page 171: Associating A Filter Set With An Interface
Associating a Filter Set with an Interface Associating a Filter Set with an Interface Once you have created a ﬁlter set, you must associate it with an interface in order for it to be effective. Depending on its application, you can associate it with either the WAN (usu- ally the Internet) interface or the LAN.
Page 172 You can repeat this process for both the WAN and LAN interfaces, to associate your ﬁlter sets. When you return to the Filter Sets page, it will display your interface associations.
Page 173: Policy-Based Routing Using Filtersets
Policy-based Routing using Filtersets Policy-based Routing using Filtersets Netopia Firmware Version 7.6 offers the ability to route IP packets using criteria other than the destination IP address. This is called policy-based routing. You specify the routing criteria and routing information by using IP ﬁltersets to determine the forwarding action of a particular ﬁlter.
Page 174 Idle Reset checkbox unchecked. Example: You want packets with the TOS low latency bit to go through VC 2 (via gateway 127.0.0.3 – the Netopia Gateway will use 127.0.0.x, where x is the WAN port + 1) instead of your normal gateway.
Page 175 Policy-based Routing using Filtersets conﬁgure one ﬁlter to match the ﬁrst type of packet and apply Force Routing. A subsequent ﬁlter is required to match and forward all other packets. Management IP trafﬁc If the Force Routing ﬁlter is applied to source IP addresses, it may inadvert- ently block communication with the router itself.
Page 176: Security Log
Security Monitoring is a keyed feature. See page 184 for information concerning installing Netopia Software Feature Keys. Security Monitoring detects security-related events, including common types of malicious attacks, and writes them to the security log ﬁle. Using the Security Monitoring Log You can view the Security Log at any time.
Page 177 Policy-based Routing using Filtersets The capacity of the security log is 100 security alert messages. When the log reaches capacity, subsequent messages are not captured, but they are noted in the log entry count.
Page 178: Timestamp Background
Timestamp Background During bootup, to provide better log information and to support improved troubleshooting, a Netopia Gateway acquires the National Institute of Standards and Technology (NIST) Uni- versal Coordinated Time (UTC) reference signal, and then adjusts it for your local time zone.
Page 179: Install
Install Install Button: Install From the Install toolbar button you can Install new Operating System Software and Feature Keys as updates become available. On selected models, you can install a Secure Sockets Layer (SSL V3.0) certiﬁcate from a trusted Certiﬁcation Authority (CA) for authentication purposes. If this feature is available Install Certiﬁcate on your Gateway, the link will appear in the Install page as shown.
Page 180: Install Software
You install a new oper- ating system image in your unit from the Install Operating System Software page. For this process, the computer you are using to connect to the Netopia Gateway must be on the same local area network as the Netopia Gateway.
Page 181: Step 1: Required Files
When you download your ﬁrmware upgrade from the Netopia website, be sure to download the latest User Guide PDF ﬁles. These are also posted on the Netopia website in the Docu- mentation Center. Conﬁrm Netopia Firmware Image Files The Netopia ﬁrmware Image ﬁle is speciﬁc to the model and the product identiﬁcation num-...
Page 182 Enter the ﬁlename into the text box by using one of these techniques: The Netopia ﬁrmware ﬁle name begins with a shortened form of the version number and ends with the sufﬁx “.bin” (for “binary”). Example: nta760.bin Open a. Click the Browse button, select the ﬁle you want, and click -or- b.
Page 183 Your Netopia Gateway restarts with its new image. Verify the Netopia Firmware Release To verify that the Netopia ﬁrmware image has loaded successfully, use the following steps: Open a web connection to your Netopia Gateway from the computer on your LAN and return to the Home page.
Page 184: Install Keys
Gateway is restarted, the new feature's functionality becomes enabled. Use Netopia Software Feature Keys Netopia Gateway users obtain advanced product functionality by installing a software fea- ture key. This concept utilizes a specially constructed and distributed keycode (referred to as a feature key) to enable additional capability within the unit.
Page 185 Install Click the Install Key button. Click the Restart toolbar button. The Conﬁrmation screen appears.
Page 186: To Check Your Installed Features
Click the Restart the Gateway link to conﬁrm. To check your installed features: Click the Install toolbar button. Click the list of features link.
Page 187 Install The System Status page appears with the information from the features link displayed below. You can check that the feature you just installed is enabled.
Page 188: Install Certificate
Link: Install Certiﬁcate Secure Sockets Layer (SSL) is a protocol for transmitting private information over the Inter- net. SSL uses two keys to encrypt data: a public key known to everyone and a private or secret key known only to the recipient of the message. SSL certiﬁcates are issued by trusted Certiﬁcation Authorities (CAs).
Page 189 Install The Install Certiﬁcate page appears. Browse to the location where you have saved your certiﬁcate and select the ﬁle, or type the full path. Click the Install Certiﬁcate button. Restart your Gateway.
Page 191: Chapter 4 Basic Troubleshooting
CHAPTER 4 Basic Troubleshooting This section gives some simple suggestions for troubleshooting problems with your Gate- way’s initial conﬁguration. Before troubleshooting, make sure you have • read the Quickstart Guide; • plugged in all the necessary cables; and • set your PC’s TCP/IP controls to obtain an IP address automatically.
Page 192: Status Indicator Lights
Status Indicator Lights The ﬁrst step in troubleshooting is to check the status indicator lights (LEDs) in the order outlined below. Netopia Gateway 2240N/2241N status indicator lights Internet Power Ethernet Action Green when power is on. if device malfunctions. Power...
Page 193 Status Indicator Lights Netopia Gateway 2246N status indicator lights ETHER NET Internet Power Ethernet 1, 2, 3, 4 Action Green when power is on. if device malfunctions. Power Solid green when connected. Flash green when there is activity on Ethernet 1, 2, 3, 4 the LAN.
Page 194 Netopia Gateway 2247NWG status indicator lights ETHER NET Power Internet Ethernet 1, 2, 3, 4 Wireless Action Green when power is on. if device malfunctions. Power Solid green when connected. Flash green when there is activity on Ethernet 1, 2, 3, 4 the LAN.
Page 195 Status Indicator Lights Netopia Gateway 3340(N) status indicator lights Ethernet Link: Solid green when connected Ethernet Traffic: Flashes green when there is activity on the LAN DSL Traffic: Blinks green when traffic is sent/received over the WAN Power: Solid green...
Page 196 Netopia Gateway 3341(N), 3351(N) status indicator lights Ethernet Link: Solid green when connected Ethernet Traffic: Flashes green when there is activity on the LAN DSL Traffic: Blinks green when traffic is sent/received over the WAN Power: Solid green when the power is on...
Page 197 Status Indicator Lights Netopia Gateway 3342/3342N, 3352/3352N status indicator lights USB: Solid green when USB is connected otherwise, not lit DSL: Blinking green with no line attached or training, solid green when trained with the DSL line. ☛ Special patterns: •...
Page 198 Netopia Gateway 3346(N), 3356(N) status indicator lights Power: Solid green when the power is on DSL Sync: Blinks green with no line attached or training, Solid green when trained with the DSL line LAN 1, 2, 3, 4: Solid green...
Page 199 Status Indicator Lights Netopia Gateway 3347W, 3347 (N) WG status indicator lights Power Green when power is applied DSL SYNC Flashes green when training Solid green when trained Flashes green for DSL traffic LAN 1, 2, 3, 4 Solid green when connected to each port on the LAN.
Page 200: Front View
Netopia Gateway MiAVo status indicator lights Front View Power - Green when power is on. DSL - Flashes green when training Solid green when trained Ethernet 1, 2, 3, 4 - Solid green when connected. Flash green when there is activity on the LAN.
Page 201: Led Function Summary Matrix
Status Indicator Lights LED Function Summary Matrix Flashing Unlit Solid Green Solid Red Green No power Power on System failure Power No signal USB port con- Activity on the USB Active nected to PC USB cable No signal DSL line synched Attempting to DSL Sync with the DSLAM...
Page 202 Note: EN Link light is inactive if only using USB. Make sure the you are using the Ethernet cable, not the DSL cable. The Ethernet cable is thicker than the standard telephone cable. Make sure the Ethernet cable is securely plugged into the Ethernet jack on the PC.
Page 203: Factory Reset Switch
Keep in mind that all of your settings will need to be reconﬁgured. If you don't have a password, the only way to access the Netopia Gateway is the following: Referring to the following diagram, ﬁnd the round Reset Switch opening.
Page 204 3397GP Power Off/On Factory Reset Switch: 2247NWG Push to clear all settings 3347W/3357W Factory Reset Switch: Power Off / On Push to clear all settings 2240N Factory Reset Switch: Push to clear all settings Factory Reset Switch: Push to clear all settings 3341/3351 2241N Ethernet...
Page 205: Chapter 5 Advanced Troubleshooting
CHAPTER 5 Advanced Troubleshooting Advanced Troubleshooting can be accessed from the Gateway’s Web UI. Point your browser http://192.168.1.254 . The main page displays the device status. (If this does not make the Web UI appear, then do a release and renew in Windows networking to see what the Gateway address really is.)
Page 206: Home Page
Home Page The home page displays basic information about the Gateway. This includes the ISP User- name, Connection Status, Device Address, Remote Gateway Address, DNS-1, and DNS-2. If you are not able to connect to the Internet, verify the following: Item Description Local WAN IP Address...
Page 207 Item Description Status of Connection ‘Waiting for DSL’ is displayed while the Gateway is training. This should change to ‘Up’ within two minutes. If not, make sure an RJ-11 cable is used, the Gateway is connected to the correct wall jack, and the Gateway is not plugged into a micro ﬁlter.
Page 208: Expert Mode
Item Description Date & Time If this is blank, you likely lack a network connection, or your NTP server information is incorrect. If all of the above seem correct, then access Expert Mode by clicking the Expert Mode link. Button: Troubleshoot Expert Mode Expert Mode has advanced troubleshooting tools that are used to pinpoint the exact source of a problem.
Page 209: System Status
Link: System Status In the system status screen, there are several utilities that are useful for troubleshooting. Some examples are given in the following pages.
Page 210: Ports: Ethernet
Link: Ports: Ethernet The Ethernet port selection shows the trafﬁc sent and received on the Ethernet interface. There should be frames and bytes on both the upstream and downstream sides. If there are not, this could indicate a bad Ethernet cable or no Ethernet connection. Below is an example: Ethernet Driver Statistics - 10/100 Ethernet Type: 100BASET...
Page 211: Ports: Dsl
Link: Ports: DSL The DSL port selection shows the state of the DSL line, whether it is up or down and how many times the Gateway attempted to train. The state should indicate ‘up’ for a working conﬁguration. If it is not, check the DSL cable and make sure it is plugged in correctly and not connected to a micro ﬁlter.
Page 212: Ip Interfaces
Link: IP: Interfaces The IP interfaces selection shows the state and conﬁguration information for your IP LAN and WAN interfaces. Below is an example: IP interfaces: Ethernet 100BT: ( up broadcast default rip-send v1 rip-receive v1 ) inet 192.168.1.1 netmask 255.255.255.0 broadcast 192.168.1.255 physical address 00-00-00-00-00-00 mtu 1500 PPP over Ethernet vcc1: ( up address-mapping broadcast default admin-disabled rip-send v1 rip-receive v1 )
Page 213: Dsl: Circuit Configuration
Link: DSL: Circuit Conﬁguration The DSL Circuit Conﬁguration screen shows the trafﬁc sent and received over the DSL line as well as the trained rate (upstream and downstream) and the VPI/VCI. Verify trafﬁc is being sent over the DSL line. If not, check the cabling and make sure the Gateway is not connected to a micro ﬁlter.
Page 214: System Log: Entire
IP address server initialization complete 00:00:00:00 L4 BR: Using saved configuration options 00:00:00:00 L4 BR: Netopia SOC OS version 7.3.0 (build r0) 00:00:00:00 L4 BR: Netopia-3000/9495032 (Netopia-3000, rev 1), PID 1205 00:00:00:00 L4 BR: last install status: Firmware installed successfully...
Page 215: Diagnostics
Check PPP connect to PPPOE (vcc1) PASS Check IP connect to PPP (vcc1) PASS Pinging Gateway PASS ==== Checking Miscellaneous Check DNS- Query for netopia.com : SKIPPED Ping DNS Server Primary IP Address : SKIPPED TEST DONE The following table summarizes the possible results. CODE...
Page 216: Network Tools
To use the NSLookup capability, type an address (domain name or IP address) in the text box and click the NSLookup button Example: Show the IP Address for grosso.com. Server : controller2.netopia.com Address : 143.137.137.9 Name : www.grosso.com Address : 192.150.14.120...
Page 217 PING: The network tools section sends a PING from the Gateway to either the LAN or WAN to verify connectivity. A PING could be either an IP address (163.176.4.32) or Domain Name (www.netopia.com). To use the Ping capability, type a destination address (domain name or IP...
Page 218 Below are some speciﬁc tests: Action If PING is not successful, possible causes are: From the Gateway's Network Tools page: Ping the internet default gateway IP DSL is down, DSL or ATM settings are incorrect; Gate- address way’s IP address or subnet mask are wrong; gateway router is down.
Page 219 Example: Show the path to the grosso.com site. Result: It took 20 hops to get to the grosso.com web site.
Page 221: Chapter 6 Command Line Interface
The Netopia Gateway operating software includes a command line interface (CLI) that lets you access your Netopia Gateway over a telnet connection. You can use the command line interface to enter and update the unit’s conﬁguration settings, monitor its performance, and restart it.
Page 222: Overview
Overview The CLI has two major command modes: SHELL and CONFIG. Summary tables that list the commands are provided below. Details of the entire command set follow in this sec- tion. SHELL Commands Command Status and/or Description to send ARP request atmping to send ATM OAM loopback clear...
Page 223 Overview CONFIG Commands Command Verbs Status and/or Description delete Delete conﬁguration list data help Help command option save Save conﬁguration data script Print conﬁguration data Set conﬁguration data validate Validate conﬁguration settings view View conﬁguration data Keywords ATM options (DSL only) bridge Bridge options dhcp...
Page 224: Starting And Ending A Cli Session
Telnet. telnet <ip_address> You must know the IP address of the Netopia Gateway before you can make a telnet con- nection to it. By default, your Netopia Gateway uses 192.168.1.254 as the IP address for its LAN interface. You can use a Web browser to conﬁgure the Netopia Gateway IP address.
Page 225: Saving Settings
SHELL Prompt When you are in SHELL mode, the CLI prompt is the name of the Netopia Gateway followed by a right angle bracket (>). For example, if you open a CLI connection to the Netopia Gate- Netopia-3000/9437188> way named “Netopia-3000/9437188,” you would see as your CLI prompt.
Page 226: Shell Commands
Sends an Address Resolution Protocol (ARP) request to match the nnn.nnn.nnn.nnn IP address to an Ethernet hardware address. clear [yes] Clears the conﬁguration settings in a Netopia Gateway. If you do not use the optional qualiﬁer, you are prompted to conﬁrm the clear command.
Page 227 The test timed out without producing a result. Try running the test again. download [ server_address ] [ ﬁlename ] [conﬁrm] This command installs a ﬁle of conﬁguration parameters into the Netopia Gateway from a TFTP (Trivial File Transfer Protocol) server. The TFTP server must be accessible on your Ethernet network.
Page 228 Adds the message in the message_string argument to the Netopia Gateway diagnostic log. loglevel [ level ] Displays or modiﬁes the types of log messages you want the Netopia Gateway to record. If you enter the loglevel command without the optional level argument, the command line interface displays the current log level setting.
Page 229 DNS information. ping [-s size ] [-c count ]{ hostname | ip_address } Causes the Netopia Gateway to issue a series of ICMP Echo requests for the device with the speciﬁed name or IP address. ping •...
Page 230: Reset Arp
Resets the Asynchronous Transfer Mode (ATM) statistics. reset crash Clears crash-dump information, which identiﬁes the contents of the Netopia Gateway regis- ters at the point of system malfunction. reset dhcp server Clears the DHCP lease table in the Netopia Gateway.
Page 231 SHELL Commands reset ipmap Clears the IPMap table (NAT). reset log Rewinds the diagnostic log display to the top of the existing Netopia Gateway diagnostic log. The reset log command does not clear the diagnostic log. The next show log com- mand will display information from the beginning of the log ﬁle.
Page 232: Show Diffserv
Displays the most recent crash information, if any, for your Netopia Gateway. show dhcp agent Displays DHCP relay-agent leases. show dhcp server leases Displays the DHCP leases stored in RAM by your Netopia Gateway.
Page 233 Displays the LAN Host Discovery Table of hosts on the wired or wireless LAN, and whether or not they are currently online. show ip routes Displays the IP routes stored in your Netopia Gateway. show ip state-insp Displays whether stateful inspection is enabled on an interface or not, exposed addresses and blocked packet statistics because of stateful inspection.
Page 234: Show Log
Displays the current status of a Netopia Gateway, the device's hardware and software revi- sion levels, a summary of errors encountered, and the length of time the Netopia Gateway has been running since it was last restarted. Identical to the status command.
Page 235 SHELL Commands telnet { hostname | ip_address } [ port ] Lets you open a telnet connection to the speciﬁed host through your Netopia Gateway. • The hostname argument is the name of the device to which you want to connect; for telnet ftp.netopia.com...
Page 236: Wan Commands
Use the segment argument to ping a neighbor switch. Use the end-to-end argument to ping a remote end node. reset dhcp client release [ vcc-id ] Releases the DHCP lease the Netopia Gateway is currently using to acquire the IP settings for the speciﬁed DSL port. The vcc-id identiﬁer is an “index”...
Page 237: About Config Commands
) at the CLI SHELL prompt. CONFIG Mode Prompt When you are in CONFIG mode, the CLI prompt consists of the name of the Netopia Gate- way followed by your current node in the hierarchy and two right angle brackets (>>). For conﬁg...
Page 238 Netopia-3000/9437188 (top)>> quit Netopia-3000/9437188 > • Moving from to a subnode — You can navigate from the top node to a subnode by entering the node name (or the signiﬁcant letters of the node name) at the CONFIG prompt and pressing R .
Page 239: Entering Commands In Config Mode
About CONFIG Commands Entering Commands in CONFIG Mode CONFIG commands consist of keywords and arguments. Keywords in a CONFIG command specify the action you want to take or the entity on which you want to act. Arguments in a CONFIG command specify the values appropriate to your site. For example, the CONFIG command set ip ethernet A ip_address ethernet A...
Page 240: Guidelines: Config Commands
Step Mode: A CLI Conﬁguration Technique The Netopia Gateway command line interface includes a step mode to automate the pro- cess of entering conﬁguration settings. When you use the CONFIG step mode, the com- mand line interface prompts you for all required and optional information.
Page 241: Validating Your Configuration
Error: Subnet mask is incorrect Global Validation did not pass inspection! You can use the validate command to verify your conﬁguration settings at any time. Your Netopia Gateway automatically validates your conﬁguration any time you save a modi- ﬁed conﬁguration.
Page 242: Config Commands
You can use the CLI to set up each ATM virtual circuit. set atm option {on | off } Enables the WAN interface of the Netopia Gateway to be conﬁgured using the Asynchro- nous Transfer Mode (ATM) protocol. set atm [vcc n ] option {on | off } Selects the virtual circuit for which further parameters are set.
Page 243 CONFIG Commands the raw WAN (DSL) bit rate. The Maximum Burst Size (MBS) is the number of cells that can be sent at the PCR rate, after which the PVC must fall back to the SCR rate. set atm [vcc n ] qos sustained-cell-rate { 1 ... n } If QoS class is set to vbr, then specify the sustained-cell-rate that should apply to the speciﬁed virtual circuit.
Page 244: Bridging Settings
Bridging lets the Netopia Gateway use MAC (Ethernet hardware) addresses to forward non- TCP/IP trafﬁc from one network to another. When bridging is enabled, the Netopia Gateway maintains a table of up to 512 MAC addresses. Entries that are not used within 30 sec- onds are dropped.
Page 245: Dhcp Settings
A device that acquires its IP address and other TCP/IP conﬁguration settings from the Netopia Gateway can use the information for a ﬁxed period of time (called the DHCP lease). Common Commands set dhcp option { off | server | relay-agent } Enables or disables DHCP services in the Netopia Gateway.
Page 246 , speciﬁes the last address in the DHCP address range. set dhcp lease-time lease-time If you selected server speciﬁes the default length for DHCP leases issued by the Netopia Gateway. Enter lease time in dd:hh:mm:ss (day/hour/minute/second) format. set dhcp server-address ip_address If you selected relay-agent , speciﬁes the IP address of the relay agent server.
Page 247: Dmt Settings
CONFIG Commands DMT Settings DSL Commands set dmt type [ lite | dmt | ansi | multi | adsl2 | adsl2+ | readsl2 | adsl2anxm | adsl2+anxm ] Selects the type of Discrete Multitone (DMT) asynchronous digital subscriber line (ADSL) protocol to use for the WAN interface.
Page 248: Domain Name System Settings
auto - The device will scan for standard telephone service (POTS). If it ﬁnds POTS, it dis- • ables metallic termination. If it does not ﬁnd POTS during the search period, then metal- lic termination is enabled. disabled - There is no POTS detection, and metallic termination is disabled. •...
Page 249: Igmp Settings
CONFIG Commands rent dynamically-assigned IP address. This allows you to get to the IP address assigned to your Gateway, even though your actual IP address may change as a result of a PPPoE con- nection to the Internet. set dynamic-dns option [ off | dyndns.org ] set dynamic-dns ddns-host-name myhostname .dyndns.org set dynamic-dns ddns-user-name myusername set dynamic-dns ddns-user-password myuserpassword...
Page 250: Ip Settings
Enables or disables TCP/IP services in the Netopia Gateway. You must enable TCP/IP ser- vices before you can enter other TCP/IP settings for the Netopia Gateway. If you turn off TCP/IP services and save the new conﬁguration, the Netopia Gateway clears its TCP/IP settings.
Page 251 { admin-disabled | none } Speciﬁes restrictions on the types of trafﬁc the Netopia Gateway accepts over the DSL vir- tual circuit. The admin-disabled argument means that access to the device via telnet, web, and SNMP is disabled. RIP and ICMP trafﬁc is still accepted. The none argument means that all trafﬁc is accepted.
Page 252: Ethernet Lan Settings
A address ip_address Assigns an IP address to the Netopia Gateway on the local area network. The IP address you assign to the local Ethernet interface must be unique on your network. By default, the Netopia Gateway uses 192.168.1.254 as its LAN IP address.
Page 253 If you specify v2-MD5, you must also specify a rip-send-key. Keys are ASCII strings with a maximum of 31 characters, and must match the other router(s) keys for proper operation of MD5 support. Depending on your network needs, you can conﬁgure your Netopia Gateway to support RIP- 1, RIP-2, or RIP-2MD5.
Page 254: Default Ip Gateway Settings
Speciﬁes how the Netopia Gateway should route information to the default Gateway. If you select ip-address, you must enter the IP address of a host on a local or remote network. If you specify ppp, the Netopia unit uses the default gateway being used by the remote PPP peer.
Page 255 Assigns an IP address to the virtual PPP interface. If you specify an IP address other than 0.0.0.0, your Netopia Gateway will not negotiate its IP address with the remote peer. If the remote peer does not accept the IP address speciﬁed in the ip_address argument as valid, the link will not come up.
Page 256 [ vccn ] rip-send { off | v1 | v2 | v1-compat | v2-MD5 } Speciﬁes whether the Netopia Gateway unit should use Routing Information Protocol (RIP) broadcasts to advertise its routing tables to routers on the other side of the PPP link. An extension of the original Routing Information Protocol (RIP-1), RIP Version 2 (RIP-2) expands the amount of useful information in the packets.
Page 257: Static Arp Settings
MAC addresses. Unlike dynamic ARP table entries, static ARP table entries do not time out. You can conﬁgure as many as 16 static ARP table entries for a Netopia Gateway. Use the following commands to add static ARP entries to the Netopia Gateway static ARP table:...
Page 258: Ip Prioritization
IP Prioritization set ip prioritize [ off | on ] Allows you to support trafﬁc that has the TOS bit set. This defaults to off. Differentiated Services (DiffServ) The commands in this section are supported beginning with Firmware Version 7.4.2. set diffserv option [ off | on ] Turns the DiffServ option off (default) or on.
Page 259 CONFIG Commands set diffserv custom-ﬂows name name protocol [ TCP | UDP | ICMP | other ] direction [ outbound | inbound | both ] start-port [ 0 - 49151 ] end-port [ 0 - 49151 ] inside-ip inside-ip-addr inside-ip-mask inside-ip-netmask outside-ip outside-ip-addr outside-ip-mask outside-ip-netmask qos [ off | assure | expedite ]...
Page 260: Sip Passthrough
PPP link may make maintenance of dynamic routes problematic. You can conﬁgure as many as 32 static IP routes for a Netopia Gateway. Use the following commands to maintain static routes to the Netopia Gateway routing table:...
Page 261 Speciﬁes the IP address of the Gateway for the static route. The default Gateway must be located on a network connected to the Netopia Gateway conﬁgured interface. set ip static-routes destination-network net_address metric integer Speciﬁes the metric (hop count) for the static route.
Page 262: Ipmaps Settings
Network Address Translation (NAT) Default Settings NAT default settings let you specify whether you want your Netopia Gateway to forward NAT trafﬁc to a default server when it doesn’t know what else to do with it. The NAT default host function is useful in situations where you cannot create a speciﬁc NAT pinhole for a trafﬁc...
Page 263: Network Address Translation (Nat) Pinhole Settings
NAT pinholes let you pass speciﬁc types of network trafﬁc through the NAT interfaces on the Netopia Gateway. NAT pinholes allow you to route selected types of network trafﬁc, such as FTP requests or HTTP (Web) connections, to a speciﬁc host behind the Netopia Gateway transparently.
Page 264: Pppoe /Pppoa Settings
[ 0 - 65535 ] Speciﬁes the port number your Netopia Gateway should use when forwarding trafﬁc of the speciﬁed type. Under most circumstances, you would use the same number for the exter- nal and internal port.
Page 265 [vccn] lcp-echo-requests { on | off } Speciﬁes whether you want your Netopia Gateway to send LCP echo requests. You should turn off LCP echoing if you do not want the Netopia Gateway to drop a PPP link to a nonre- sponsive peer.
Page 266: Configuring Port Authentication
[vccn] time-out integer If you speciﬁed a connection type of instant-on, speciﬁes the number of seconds, in the range 30 - 3600, with a default value of 300, the Netopia Gateway should wait for commu- nication activity before terminating the PPP link.
Page 267: Ethernet Port Settings
CONFIG Commands CHAP and specify the same name and secret on the Netopia Gateway before the link can be established. set ppp module [vccn] port-authentication option [ off | on | pap-only | chap-only ] Specifying on turns both PAP and CHAP on, or you can select PAP or CHAP. Specify the...
Page 268 set preference more lines Speciﬁes how many lines of information you want the command line interface to display at one time. The lines argument speciﬁes the number of lines you want to see at one time. The range is 1-65535. By default, the command line interface shows you 22 lines of text before displaying the prompt: More …[y|n] ?.
Page 269: Port Renumbering Settings
For example, if you set up a NAT pinhole to forward network trafﬁc on Port 80 (HTTP) to another host, you would have to tell the Netopia Gateway to listen for conﬁguration connection requests on a port number other than 80, such as 6080.
Page 270: Security Settings
When connecting the Netopia unit in a telecommuting scenario, the corporate VPN settings will dictate the settings to be used in the Netopia unit. If a parameter has not been speci- ﬁed from the other end of the tunnel, choose the default unless you fully understand the ramiﬁcations of your parameter choice.
Page 271 CONFIG Commands set security ipsec tunnels name "123" tun-enable (on) {on | off} This enables this particular tunnel. Currently, one tunnel is supported. set security ipsec tunnels name "123" dest-ext-address ip-address Speciﬁes the IP address of the destination gateway. set security ipsec tunnels name "123" dest-int-network ip-address Speciﬁes the IP address of the destination computer or internal network.
Page 272 set security ipsec tunnels name "123" IKE-mode pre-shared-key ("") {hex string} page 130 for details about SafeHarbour IPsec tunnel capability. Example: 0x1234 set security ipsec tunnels name "123" IKE-mode neg-method {main | aggressive} page 130 for details about SafeHarbour IPsec tunnel capability. Note: Aggressive Mode is a little faster, but it does not provide identity protection for nego- tiations nodes.
Page 273 "123" IKE-mode invalid-spi-recovery { off | on } Enables the Gateway to re-establish the tunnel if either the Netopia Gateway or the peer gateway is rebooted. set security ipsec tunnels name "123" xauth enable {off | on } Enables or disables Xauth extensions to IPsec, when IKE-mode neg-method is set to aggressive.
Page 274 set security ipsec tunnels name "123" local-id id_value Speciﬁes the NAT local ID value as speciﬁed in the local-id-type for the speciﬁed IPsec tunnel, when Aggressive Mode is set. ☛ Note: If subnet is selected, the following two values are used instead: set security ipsec tunnels name "123"...
Page 275: Internet Key Exchange (Ike) Settings
CONFIG Commands Internet Key Exchange (IKE) Settings The following four IPsec parameters conﬁgure the rekeying event. set security ipsec tunnels name "123" IKE-mode ipsec-soft-mbytes (1000) {1-1000000} set security ipsec tunnels name "123" IKE-mode ipsec-soft-seconds (82800) {60-1000000} set security ipsec tunnels name "123" IKE-mode ipsec-hard-mbytes (1200) {1-1000000} set security ipsec tunnels name "123"...
Page 276: Stateful Inspection
Stateful Inspection Stateful inspection options are accessed by the security state-insp tag. set security state-insp [ ip-ppp | dsl ] vcc n option [ off | on ] set security state-insp ethernet [ A | B ] option [ off | on ] Sets the stateful inspection option off or on on the speciﬁed interface.
Page 277: Example
CONFIG Commands set security state-insp udp-timeout [ 30 - 65535 ] Sets the stateful inspection UDP timeout interval, in seconds. set security state-insp xposed-addr exposed-address# " n " Allows you to add an entry to the speciﬁed list, or, if the list does not exist, creates the list for the stateful inspection feature.
Page 278: Packet Filtering Settings
set security state-insp xposed-addr exposed-address# " n " start-port [ 1 - 65535 ] set security state-insp xposed-addr exposed-address# " n " end-port [ 1 - 65535 ] Packet Filtering Settings Packet Filtering settings are supported beginning with Firmware Version 7.4. Packet Filtering has two parts: •...
Page 279 CONFIG Commands set security pkt-ﬁlter ﬁlterset ﬁlterset-name [ in | out ] index frc-rte [ on | off ] Turns forced routing on or off for the speciﬁed ﬁlter rule. A match on this rule will force a route for packets. The default is off. set security pkt-ﬁlter ﬁlterset ﬁlterset-name [ in | out ] index gateway ip_addr Speciﬁes the gateway IP address for forced routed packets, if forced routing is enabled.
Page 280 set security pkt-ﬁlter ﬁlterset ﬁlterset-name [ in | out ] index tos-mask value Speciﬁes the TOS (Type Of Service) mask to match packets. The value for tos-mask can be from 0 – 255. set security pkt-ﬁlter ﬁlterset ﬁlterset-name [ in | out ] index protocol value Speciﬁes the protocol value to match packets, the type of higher-layer Internet protocol the packet is carrying, such as TCP or UDP.
Page 281: Example
CONFIG Commands Operator Action Less than or equal to Equal to Greater than or equal to Greater than set security pkt-ﬁlter ﬁlterset ﬁlterset-name [ in | out ] index src-port value Speciﬁes the source IP port to match packets (the port on the sending host that originated the packet, if the underlying protocol is TCP or UDP).
Page 282: Snmp Settings
Identiﬁes the system contact, such as the name, phone number, beeper number, or email address of the person responsible for the Netopia Gateway. You can enter up to 255 char- acters for the contact_info argument. You must put the contact_info argument in double-quotes if it contains embedded spaces.
Page 283: Snmp Notify Type Settings
Netopia-3000/9437188. A system name can be 1 – 255 characters long. Once you have assigned a name to your Netopia Gateway, you can enter that name in the Address text ﬁeld of your browser to open a connection to your Netopia Gateway.
Page 284 { off | low | medium | high | alerts | failures } Speciﬁes the types of log messages you want the Netopia Gateway to record. All messages with a level equal to or greater than the level you specify are recorded. For example, if you specify set system diagnostic-level medium, the diagnostic log will retain medium-level informational messages, alerts, and failure messages.
Page 285 A password can be as many as 8 characters. Passwords are case-sensitive. Passwords go into effect immediately. You do not have to restart the Netopia Gateway for the password to take effect. Assigning an administrator or user password to a Netopia Gateway does not affect communications through the device.
Page 286 out, each heartbeat sequence will send out a total 20 heartbeats, spaced at 30 second intervals, and then sleep for 30 minutes. So to have the Gateway send out packets “forever”, this number can be set very high. If it is 1440 and the interval is 1 minute, say, the heartbeat will go out every minute for 1440 minutes, or one day, before sleep- ing.
Page 287 [ on | off ] Enables or disables the Zero Touch option. Zero Touch refers to automatic conﬁguration of your Netopia Gateway. The Netopia Gate- way has default settings such that initial connection to the Internet will succeed. If the zerotouch option is set to on, HTTP requests to any destination IP address except the IP address(es) of the conﬁgured redirection URL(s) will access a redirection server.
Page 288: Syslog
Syslog set system syslog option [ off | on ] Enables or disables system syslog feature. If syslog option is on, the following commands are available: set system syslog host-nameip [ ip_address | hostname ] Speciﬁes the syslog server’s address either in dotted decimal format or as a DNS name up to 64 characters.
Page 289 CONFIG Commands set security state-insp eth B option on • Type the command to enable the router to drop fragmented packets set security state-insp eth B deny-fragments on Enabling syslog: • Type config • Type the command to enable syslog set system syslog option on •...
Page 290: Wireless Settings (Supported Models)
{ off | at-startup | continuous } Speciﬁes the wireless AutoChannel Setting for 802.11G models. AutoChannel is a feature that allows the Netopia Gateway to determine the best channel to broadcast automatically. For details, see “Advanced” on page set wireless default-channel { 1...14 }...
Page 291 CONFIG Commands set wireless mode { both-b-and-g | b-only | g-only } Beginning with Netopia Firmware Version 7.5.1. speciﬁes the wireless operating mode for connecting wireless clients: both-b-and-g, b-only, or g-only, and locks the Gateway in that mode. ☛ NOTE: If you choose to limit the operating mode to B or G only, clients using the mode you excluded will not be able to connect.
Page 292 set wireless multi-ssid second-ssid-privacy { off | WEP | WPA-PSK | WPA-802.1x } set wireless multi-ssid third-ssid-privacy { off | WEP | WPA-PSK | WPA-802.1x } set wireless multi-ssid fourth-ssid-privacy { off | WEP | WPA-PSK | WPA-802.1x } Speciﬁes the type of privacy enabled on multiple SSIDs when multi-ssid option is set to on.
Page 293: Wireless Privacy Settings
CONFIG Commands set wireless multi-ssid second-ssid-wepkey { hexadecimal digits } set wireless multi-ssid third-ssid-wepkey { hexadecimal digits } set wireless multi-ssid fourth-ssid-wepkey { hexadecimal digits } Speciﬁes a WEP key for the multiple SSIDs, when second-, third-, or fourth-ssid-privacy is set to WEP. For 40/64bit encryption, you need 10 digits; 26 digits for 128bit, and 58 digits for 256bit WEP.
Page 294 protect your network and data from intruders. Note that 40bit is the same as 64bit and will work with either type of wireless client. The default is off. A single key is selected (see default-key) for encryption of outbound/transmitted packets. The WEP-enabled client must have the identical key, of the same length, in the identical slot (1..4) as the wireless Gateway, in order to successfully receive and decrypt the packet.
Page 295 CONFIG Commands set wireless network-id privacy encryption-key1 { hexadecimal digits } set wireless network-id privacy encryption-key2 { hexadecimal digits } set wireless network-id privacy encryption-key3 { hexadecimal digits } set wireless network-id privacy encryption-key4 { hexadecimal digits } The encryption keys. Enter keys using hexadecimal digits. For 40/64bit encryption, you need 10 digits;...
Page 296: Wireless Mac Address Authorization Settings
Wireless MAC Address Authorization Settings set wireless mac-auth option { on | off } Enabling this feature limits the MAC addresses that are allowed to access the LAN as well as the WAN to speciﬁed MAC (hardware) addresses. set wireless mac-auth wrlss-MAC-list mac-address MAC-address_string Enters a new MAC address into the MAC address authorization table.
Page 297: Vlan Settings
You must save the changes, exit out of conﬁguration mode, and restart the Gateway for the changes to take effect. Example: • Navigate to the VLAN item: Netopia-3000/9459252 (top)>> vlan Netopia-3000/9459252 (vlan)>> set vlan name (name) node list ... Select (name) node to modify from list, or enter new (name) to create.
Page 298 Netopia-3000/9459252 (vlan)>> • To make the VLAN vlan1 routable add the port lan-uplink: Netopia-3000/9459252 (vlan)>> name vlan1 Netopia-3000/9459252 (vlan name "vlan1")>> set "vlan1" id (52) [ 1 - 4095 ]: type (by-port) [ by-port ]: admin-restricted (off) [ off | on ]: port (port) node list ...
Page 299: Upnp Settings
PCs using UPnP can retrieve the Gateway’s WAN IP address, and automatically create NAT port maps. This means that applications that support UPnP, and are used with a UPnP- enabled Netopia Gateway, will not need application layer gateway support on the Netopia Gateway to work through NAT. The default is on.
Page 300: Tr-069
WAN link for some features and over the LAN for others. TR-069 allows a remote Auto-Conﬁg Server (ACS) to provision and manage the Netopia Gateway. TR-069 protects sensitive data on the Gateway by not advertising its presence, and by password protection.
Page 301 CONFIG Commands On units that support SSL, the format for the ACS URL can also be: https:// some_url.com : port_number https:// 123.45.678.910 : port_number...
Page 302: Vdsl Settings
VDSL Settings ☛ CAUTION! These settings are for very advanced users and lab technicians. Exercise extreme caution when modifying any of these settings. set vdsl sys-option [ 0x00 - 0xff ] sys-bandplan [ 0x00 - 0xff ] psd-mask-level [ 0x00 - 0xff ] pbo-k1_1 [ 0x00000000 - 0xffffffff ] pbo-k1_2 [ 0x00000000 - 0xffffffff ] pbo-k1_3 [ 0x00000000 - 0xffffffff ]...
Page 303: Vdsl Parameter Defaults
CONFIG Commands VDSL Parameter Defaults Parameter Default Meaning sys-option 0x00 VDSL system option(bit0=ntr, 1=margin, 2=ini, 3=pbo, 4=tlan, 5=pbo) sys-bandplan 0x02 VDSL system bandplan(bp_3_998_4=2, bp4_997_3=3, bp5_997_3=4…) psd-mask-level 0x00 VDSL system psd mask(def=0, 1=ansim1cab, 2=ansim2cab, 3=etsim1cab, 4=etsim2cab) pbo-k1_1 0x00 VDSL system power back-off k1_1 pbo-k1_2 0x00 VDSL system power back-off k1_2...
Page 304: Vdsl Parameters Accepted Values
VDSL Parameters Accepted Values Parameter Accepted Values sys-option Bit[0]: NTR_DISABLE Bit[1]: ALW_MARGIN_ADJUST. 1: the SNR margin for the optional band is reduced by up to 2.5 dB, but never below a minimum of 4 dB. Bit[2]: SUPPORT_INI Bit[4]: TLAN Enable Bit[5]: PBO Weak mode Enable (Applicable only when PBO Bit[3]=0.
Page 305: Vdsl Parameters Accepted Values
CONFIG Commands VDSL Parameters Accepted Values Parameter Accepted Values sys-bandplan BP1_998_3 (0x00) BP2_998_3 (0x01) BP998_3B_8_5M (0x01) BP3_998_4 (0x02) BP998_4B_12M (0x02) BP4_997_3 (0x03) BP997_3B_7_1M (0x03) BP5_997_3 (0x04) BP6_997_4 (0x05) BP997_4B_7_1M (0x05) BP7_MXU_3 (0x06) FLEX_3B_8_5M (0x06) BP8_MXU_2 (0x07) BP9_998_2 (0x08) BP10_998_2 (0x09) BP998_2B_3_8M (0x09) BP11_998_2 (0x0A)
Page 306 VDSL Parameters Accepted Values Parameter Accepted Values psd-mask-level 0x00 -- default mask (old gains from before) 0x01 -- ANSI M1 CAB 0x02 -- ANSI M2 CAB 0x03 -- ETSI M1 CAB 0x04 -- ETSI M2 CAB 0x05 -- ITU-T Annex F (Japan) 0x06 - ANSI M1 Ex 0x07 - ANSI M2 Ex 0x08 -- ETSI M1 Ex...
Page 307 CONFIG Commands VDSL Parameters Accepted Values Parameter Accepted Values port-bandplan BP1_998_3 (0x00) BP2_998_3 (0x01) BP998_3B_8_5M (0x01) BP3_998_4 (0x02) BP998_4B_12M (0x02) BP4_997_3 (0x03) BP997_3B_7_1M (0x03) BP5_997_3 (0x04) BP6_997_4 (0x05) BP997_4B_7_1M (0x05) BP7_MXU_3 (0x06) FLEX_3B_8_5M (0x06) BP8_MXU_2 (0x07) BP9_998_2 (0x08) BP10_998_2 (0x09) BP998_2B_3_8M (0x09) BP11_998_2 (0x0A)
Page 308 VDSL Parameters Accepted Values Parameter Accepted Values framing-mode HDLC – 0x80 AUTO – 0x90 ATM – 0x00 band-mod Bit 0, 1: Tx Cfg band 1- All tones on 2- All tones below 640 Khz are turned off 3- All tones below 1.1 Mhz are turned off Bit 2,3: Not used Bit 4,5: Rx Cfg band 1- All tones on...
Page 309 CONFIG Commands VDSL Parameters Accepted Values Parameter Accepted Values rx-ﬁlter 0: using internal ﬁlter in Rx path 1: using K1 external ﬁlter in Rx path (for Korea VLR Application) 2: using U1 external ﬁlter in Rx path (for US / Korea VLR Application) 3: using H1 external ﬁlter in Rx path (for 100/100 Application) dying-gasp...
Page 311: Chapter 7 Glossary
Glossary CHAPTER 7 10Base-T. IEEE 802.3 speciﬁcation for Ethernet that uses unshielded twisted pair (UTP) wiring with RJ-45 eight-conductor plugs at each end. Runs at 10 Mbps. 100Base-T. IEEE 802.3 speciﬁcation for Ethernet that uses unshielded twisted pair (UTP) wiring with RJ-45 eight-conductor plugs at each end. Runs at 100 Mbps.
Page 312 ADSL. Asymmetric Digital Subscriber Line. Modems attached to twisted pair copper wiring that transmit 1.5-9 Mbps downstream (to the subscriber) and 16 -640 kbps upstream, depending on line distance. (Downstream rates are usually lower that 1.5Mbps in practice.) AH. The Authentication Header provides data origin authentication, connec- tionless integrity, and anti-replay protection services.
Page 313 BRI. Basic Rate Interface. ISDN standard for provision of low-speed ISDN services (two B channels (64 kbps each) and one D channel (16 kbps)) over a single wire pair. bridge. Device that passes packets between two network segments accord- ing to the packets' destination address. broadcast.
Page 314 Cable that lets you connect a port on one Ethernet hub to a port on another Ethernet hub. You can order an Ethernet crossover cable from Netopia, if needed. CSU/DSU. Channel Service Unit/Data Service Unit. Device responsible for connecting a digital circuit, such as a T1 link, with a terminal or data com- munications device.
Page 315 Difﬁe-Hellman. A group of key-agreement algorithms that let two computers compute a key independently without exchanging the actual key. It can gen- erate an unbiased secret key over an insecure medium. diffserv. Differentiated Services. A method for controlling Quality of Service (QoS) queue priority settings.
Page 316 encapsulation. Technique used to enclose information formatted for one protocol, such as AppleTalk, within a packet formatted for a different proto- col, such as TCP/IP. Encrypt Protocol. Encryption protocol for the tunnel session. Parameter values supported include NONE or ESP. encryption.
Page 317 FTP. File Transfer Protocol. Application protocol that lets one IP node trans- fer ﬁles to and from another node. FTP server. Host on network from which clients can transfer ﬁles. -----H----- Hard MBytes. Setting the Hard MBytes parameter forces the renegotiation of the IPSec Security Associations (SAs) at the conﬁgured Hard MByte value.
Page 318 The Netopia Gateway works like a network super trafﬁc cop, inspecting and ﬁlter- ing out undesired trafﬁc based on your security policy and resulting conﬁgu- ration.
Page 319 -----K----- Key Management . The Key Management algorithm manages the exchange of security keys in the IPSec protocol architecture. SafeHarbour supports the standard Internet Key Exchange (IKE) -----L----- LCP. Link Control Protocol. Protocol responsible for negotiating connection conﬁguration parameters, authenticating peers on the link, determining whether a link is functioning properly, and terminating the link.
Page 320 An SSID differentiates one wireless network from another, so all access points and all devices attempting to connect to a spe- ciﬁc network must use the same SSID. Netopia Gateways support up to four SSIDs. SSIDs are also sometimes referred to as Network Names because they are names that identify wireless networks.
Page 321 Aggressive Mode. Main mode requires 3 two-way message exchanges while Aggressive mode only requires 3 total message exchanges. null modem. Cable or connection device used to connect two computing devices directly rather than over a network. -----P----- packet. Logical grouping of information that includes a header and data. Compare frame, datagram.
Page 322 PPP. Point-to-Point Protocol. Provides a method for transmitting datagrams over serial router-to-router or host-to-network connections using synchronous or asynchronous circuits. Pre-Shared Key. The Pre-Shared Key is a parameter used for authenticating each side. The value can be an ASCII or Hex and a maximum of 64 charac- ters.
Page 323 route. Path through a network from one node to another. A large internet- work can have several alternate routes from a source to a destination. routing table. Table stored in a router or other networking device that records available routes and distances for remote network destinations. -----S----- SA Encrypt Type.
Page 324 STATEFUL. The Netopia Gateway monitors and maintains the state of any network transaction. In terms of network request-and-reply, state consists of the source IP address, destination IP address, communication ports, and data sequence.
Page 325 -----T----- telnet. IP protocol that lets a user on one host establish and use a virtual terminal connection to a remote host. TR-064. TR-064 is a LAN-side DSL Gateway conﬁguration speciﬁcation; an extension of UPnP. It deﬁnes more services to locally manage a Gateway. TR-069.
Page 326 -----W----- WAN. Wide Area Network. Private network facilities, usually offered by pub- lic telephone companies but increasingly available from alternative access providers (sometimes called Competitive Access Providers, or CAPs), that link business network nodes. WWW. World Wide Web. -----X----- XAuth. Extended Authentication. An extension to the Internet Key Exchange (IKE) protocol, for IPSec tunnelling.
Page 327: Technical Specifications And Safety Information
2200-Series Wireless Models: 1.2"(3.0cm) H, 8.7" (22.0 cm) W, 5.2"(13.2cm) L Communications interfaces: The Netopia Gateways have an RJ-11 jack for DSL line connections or an RJ-45 jack for cable/DSL modem connections and 1 or 4–port 10/100Base-T Ethernet switch for your LAN connections. Some models have a USB port that can be used to connect to your PC;...
Page 328: Relative Storage Humidity
Relative storage humidity: 20 to 80% noncondensing Software and protocols Software media: Software preloaded on internal ﬂash memory; ﬁeld upgrades done via download to internal ﬂash memory via TFTP or web upload. (does not apply to 3342/3352) Routing: TCP/IP Internet Protocol Suite, RIP WAN support: PPPoA, PPPoE, DHCP, static IP address Security:...
Page 329: Agency Approvals
Regulatory notices European Community. This Netopia product conforms to the European Community CE Mark standard for the design and manufacturing of information technology equipment. This standard covers a broad area of product design, including RF emissions and immunity from electrical...
Page 330: Manufacturer's Declaration Of Conformance
This restriction applies regardless of whether the equipment is in or our of warranty. It is the responsibility of users requiring service to report the need for service to our Company or to one of our authorized agents. Service can be obtained at Netopia, Inc., 6001 Shellmound Street, Emeryville, California, 94608. Telephone: 510-597-5400.
Page 331: Canada
Manufacturer’s Declaration of Conformance ☛ Important This product was tested for FCC compliance under conditions that included the use of shielded cables and connectors between system components. Changes or modiﬁca- tions to this product not authorized by the manufacturer could void your authority to operate the equipment.
Page 332: Important Safety Instructions
Important Safety Instructions Australian Safety Information The following safety information is provided in conformance with Australian safety requirements: Caution DO NOT USE BEFORE READING THE INSTRUCTIONS: Do not connect the Ethernet ports to a carrier or carriage service provider’s telecommunications network or facility unless: a) you have the written consent of the network or facility manager, or b) the connection is in accordance with a connection permit or connection rules.
Page 333: 47 Cfr Part 68 Information
47 CFR Part 68 Information 47 CFR Part 68 Information FCC Requirements The Federal Communications Commission (FCC) has established Rules which permit this device to be directly connected to the telephone network. Standardized jacks are used for these connections. This equipment should not be used on party lines or coin phones. If this device is malfunctioning, it may also be causing harm to the telephone network;...
Page 334: Electrical Safety Advisory
If this happens the telephone company will provide advance notice in order for you to make necessary modiﬁcations to maintain uninterrupted service. g) If trouble is experienced with this equipment, the Netopia 3300- or 2200-Series router, for repair or warranty information, please contact:...
Page 335: Chapter 9 Overview Of Major Capabilities
Built-in DHCP and DNS proxy features minimize or eliminate the need to program any network conﬁguration into your home personal computer. • “Management” on page 338 A Web server built into the Netopia Operating System makes setup and maintenance easy using standard browsers. Diagnostic tools facilitate troubleshooting. • “Security” on page 339 Network Address Translation (NAT), password protection, Stateful Inspection ﬁrewall...
Page 336: Wide Area Network Termination
While an Always On connection is convenient, it does leave your network permanently con- nected to the Internet, and therefore potentially vulnerable to attacks. Netopia's Instant On technology furnishes almost all the beneﬁts of an Always-On connec- tion while providing two additional security beneﬁts: •...
Page 337: Simplified Local Area Network Setup
URL (Universal Resource Locator) as text to surf to a desired web- site. The Netopia DNS Proxy feature allows the LAN-side IP address of the Gateway to be used for proxying DNS requests from hosts on the LAN to the DNS Servers conﬁgured in the gateway.
Page 338: Management
System and security logs • Diagnostics functions Once you have removed your Netopia Gateway from its packing container and powered the unit up, use any LAN attached PC or workstation running a common web browser applica- tion to conﬁgure and monitor the Gateway.
Page 339: Security
Gateway. This access can be turned on or off in the Web interface. Password Protection Access to your Netopia device can be controlled through two access control accounts, Admin or User. The Admin, or administrative user, performs all conﬁguration, management or mainte- •...
Page 340: Ethernet Interface Lan
It routes packets received from remote networks to the correct computer on the LAN (Ethernet) interface. When NAT is OFF, a Netopia Gateway acts as a traditional TCP/IP router, all LAN com- • puters/devices are exposed to the Internet.
Page 341: Netopia Advanced Features For Nat
☛ NOTE: 1. The default setting for NAT is ON. 2. Netopia uses Port Address Translation (PAT) to implement the NAT facility. 3. NAT Pinhole trafﬁc (discussed below) is always initiated from the WAN side. Netopia Advanced Features for NAT Using the NAT facility provides effective LAN security.
Page 342: Default Server
Common TCP/IP protocols and ports are: FTP (TCP 21) telnet (TCP 23) SMTP (TCP 25) HTTP (TCP 80) SNMP (TCP 161, UDP 161) page 75 for How To instructions. Default Server This feature allows you to: • Direct your Gateway to forward all externally initiated IP trafﬁc (TCP and UDP protocols only) to a default host on the LAN.
Page 343: Ip-Passthrough
Security IP-Passthrough Netopia OS now offers an IP passthrough feature. The IP passthrough feature allows a sin- gle PC on the LAN to have the Gateway’s public address assigned to it. It also provides PAT (NAPT) via the same public IP address for all other hosts on the private LAN subnet.
Page 344: Vpn Ipsec Tunnel Termination
Typically, no special conﬁguration is necessary to use the IPSec pass through feature. In the diagram, VPN PC clients are shown behind the Netopia Gateway and the secure server is at Corporate Headquarters across the WAN. You cannot have your secure server behind the Netopia Gateway.
Page 345: Index
Index Navigating Prompt 225, Restart command SHELL mode Symbols View command !! command Command ARP 226, Ping Access the GUI Telnet Address resolution table Command line interface (see Administrative CLI) restrictions Community Administrator password 39, Compression, protocol 123, Concurrent Bridging/ Arguments, CLI Routing 104, CONFIG...
Page 346 DSL Forum settings output using 163, viewing firewall Echo request echo-period Embedded Web Server Ethernet address Ethernet statistics Hardware address hijacking Hop count HTTP traffic Feature Keys Obtaining filter parts ICMP Echo parts of IGMP Snooping filter priority Install filter set Install Certificate adding IP address 250,...
Page 347 Install Software Quickstart 48, 50, Local Area Network Password Location, SNMP Administrator 39, 123, Logging in User 39, 123, lost echoes persistent-log Ping Ping command Pinholes 262, Magic number Planning Memory policy-based routing Metric Port authentication Multiple SSIDs port number Multiple Wireless SSIDs comparisons Wireless 62,...
Page 348 Restrictions system heartbeat RIP 251, command Routing Information Protocol system name (RIP) 251, command system command system password Secondary nameserver command Secure Sockets Layer set system syslog Security wireless option filters command Security log Set wireless user-auth option bncp command 242, command 243, SHELL...
Page 349 Syslog System contact, SNMP Wide Area Network System diagnostics Wireless system idle-timeout Zero Touch Telnet 224, Telnet command Telnet traffic TFTP TFTP server Toolbar TOS bit 157, TraceRoute 216, Trap Trivial File Transfer Protocol Truncation UPnP User name User password 39, 123, set atm 242, View command view config...
Page 351 Netopia 2200 and 3300 series by Netopia Netopia, Inc. 6001 Shellmound Street Emeryville, CA 94608 April 10, 2006...

This manual is also suitable for:

3300 series 3342 3356 Firmware version 7.6

Netopia 2200 series Software User's Manual

CHAPTER 1 Introduction

CHAPTER 2 Basic Mode Setup

CHAPTER 3 Expert Mode

CHAPTER 4 Basic Troubleshooting

CHAPTER 5 Advanced Troubleshooting

CHAPTER 6 Command Line Interface

CHAPTER 7 Glossary

CHAPTER 8 Technical Specifications and Safety Information

Quick Links

Troubleshooting

Related Manuals for Netopia 2200 series

Summary of Contents for Netopia 2200 series